Think about it, what use is a "blind penetration test"? For any company wishing to run a pen test, they should define what to test and the expected results beforehand. The testing team should have a high level of knowledge (on a need-to-know basis of course, with considerations of a separation of duties, otherwise you may be asking for trouble, especially if you are a pen test service provider) of the targeted system; this ensures the most efficient (read fastest and least expensive) audit but the most comprehensive.

Indeed. What penetration test? They're only doing some basic noninvasive recon stuff. The only "active" part of this document is the traceroute/nmap. Big deal. Any serious security professional should be able to do this blindfolded.

Oliver's Law:
Experience is something you don't get until just after you need it.

Just as an FYI, I spoke with GSecur and he wanted me to pass on that the document was never completed (one of those "intended to but real life interfered"). I think, however, that a blind penetration test may have some value to find those things you don't know about or wouldn't think about. If all tests are done by those who know how things work, then they know what to expect or where to look.

If, however, it's done by someone who doesn't know, they will look and poke in more places and may find things that were overlooked by those who are used to the existing system.

MsM: That's the reason why you should never test your own stuff. You know how it's built and will test along the same lines. Testing should be done by someone who has absolutely no idea on how you did it or how it works.

Oliver's Law:
Experience is something you don't get until just after you need it.

penetration testing:
The portion of security testing in which the evaluators attempt to circumvent the security features of a system. The evaluators may be assumed to use all system design and implementation documentation, which may include listings of system source code, manuals, and circuit diagrams. The evaluators work under the same constraints applied to ordinary users.

Gsecur hasn't impressed me with anything that I could label as 'legitimate' yet.

This document only adds to that opinion (or lack thereof). To be honest, I think it's like choosing to reinvent the wheel when there is no good reason to. catch said it, it's a skiddie circle-jerk disguised as a "white paper".

I do these for a living. This is *NOT* how you go about it, and continue to offer this service as a legitimate, trusted company.

"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

Originally posted here by SirDice:
MsM: That's the reason why you should never test your own stuff. You know how it's built and will test along the same lines. Testing should be done by someone who has absolutely no idea on how you did it or how it works.

I partly disagree, here is why. You are right about knowing your own system and knowing what security issues you may or may not have. But also knowing or not knowing would give you more time to search in other areas of your computer for vulnerabilities. If you know that you are very secure with exploits of certain programs, the next best thing is to try to find other ways into your system and patch up.

You should always take a second opinion, so to speak, about your workings, in case you miss something. But someone has to test these things on a computer before commencing to reach out over a network and trying it on someone else.

I agree that you should always get a second opinion on your work. Sometimes people get too close to their projects and lose that objective point of view you need. It's not on purpose, but it is much easier for you to look and see how something -should- work, but ignore how it is -actually- working.